This repo is used to deploy and maintain various IAM entities.
For our current use case, however, we only deploy an IAM user and its policy for use when deploying from GitHub Actions.
As you are probably thinking: "How can you deploy the IAM deployer user without the IAM deployer user?"
Ahh yes, the ol' chicken and the egg problem.
To get around this we bootstrap in three steps:

1. Manually create an IAM user and attach a policy that allows us to deploy the resources we require.
2. Create access keys for that manual user and use them to deploy this stack.
3. Once the stack is deployed, remove the manually created user and create access keys against the new (stack-managed) user.
To deploy this repository there are a few repository secrets that we need to set. To add secrets against the repository, check out the official GitHub documentation on how to achieve this.
These secret variables are:

| Variable | Description |
|---|---|
| ACCOUNT_ID | The AWS Account ID |
| AWS_ACCESS_KEY_ID | The IAM user Access Key ID |
| AWS_SECRET_ACCESS_KEY | The IAM user Secret Access Key |
I believe we can add a Permission Boundary to solve this.
As you can probably see, the IAM policy for the deployer role is extremely open.
For my use case, however, GitHub Actions is used to deploy. This CI/CD pipeline will only ever be triggered by myself, as no other users have write access.
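As an added example (not code from this repo), here is what a permissions boundary for the deployer user could look like, built from the ACCOUNT_ID secret, together with a small check that flags the kind of wide-open "Action: *, Resource: *" statement discussed above. The allowed service list and the user name `github-deployer` are assumptions; the effective permissions of the deployer are the intersection of its attached policy and this boundary.

```python
"""Permissions boundary for a GitHub Actions deployer user, plus a lint for wide-open
statements. Service list and user name are hypothetical placeholders."""
import json


def deployer_boundary(account_id: str, user_name: str = "github-deployer") -> dict:
    """Boundary document: even if the attached identity policy says Action "*",
    the user can only act in this account and only on its own access keys."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # Hypothetical allow-list of the services the stack actually deploys.
                "Sid": "DeployerServices",
                "Effect": "Allow",
                "Action": ["cloudformation:*", "s3:*", "lambda:*"],
                "Resource": "*",
                "Condition": {"StringEquals": {"aws:ResourceAccount": account_id}},
            },
            {   # Rotating its own keys (the last bootstrap step) is allowed,
                # touching any other IAM principal is not.
                "Sid": "ManageOwnKeys",
                "Effect": "Allow",
                "Action": ["iam:CreateAccessKey", "iam:DeleteAccessKey", "iam:ListAccessKeys"],
                "Resource": f"arn:aws:iam::{account_id}:user/{user_name}",
            },
            {   # The user cannot loosen or remove the boundary itself.
                "Sid": "ProtectBoundary",
                "Effect": "Deny",
                "Action": ["iam:PutUserPermissionsBoundary", "iam:DeleteUserPermissionsBoundary"],
                "Resource": "*",
            },
        ],
    }


def wide_open_statements(policy: dict) -> list:
    """Return the Sid (or index) of every Allow statement that grants every action
    on every resource, i.e. the 'extremely open' shape worth flagging in review."""
    findings = []
    for i, st in enumerate(policy.get("Statement", [])):
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = st.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        if st.get("Effect") == "Allow" and "*" in actions and "*" in resources:
            findings.append(st.get("Sid", str(i)))
    return findings


if __name__ == "__main__":
    print(json.dumps(deployer_boundary("123456789012"), indent=2))  # constructed account id
```

The boundary is attached once when the user is created, so a later, over-broad edit to the attached policy does not widen what the pipeline can actually do.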